Beat Back Viruses

Protecting your network from email viruses and spam has become a full-time job; finding the right antivirus software can make all the difference in whether it's a job well done. To help you, I tested the Microsoft Exchange Server versions of the top five products from the Best Antivirus/Mail Server category in Windows IT Pro's 2004 Readers' Choice awards: Computer Associates International (CA) eTrust Antivirus 7.1 Option for Microsoft Exchange, McAfee Active Mail Protection, Sybari (recently purchased by Microsoft) Antigen for Microsoft Exchange 8.0, Symantec Mail Security for Microsoft Exchange 4.6, and Trend Micro ScanMail for Microsoft Exchange 7.0. (Pick up next month's issue of Windows IT Pro to discover this year's winners.)

My lab consisted of two virtual machines—a domain controller (DC) and an Exchange server—on one dual-processor host system. I evaluated the products on the basis of their virus-scanning accuracy, spam- and content-filtering capabilities, and management functionality. I used virtual machines to provide a consistent test environment, but the overhead of the virtual machines magnified the performance differences between the products. Therefore, although I evaluated the products' performance against a baseline and against one another (as I explain in the Web sidebar "Performance," http://www.windowsitpro.com, InstantDoc ID 46978), I didn't consider performance to be the deciding factor in my final decisions.

I configured the Exchange server with 512MB of RAM, gave it exclusive use of one CPU, and put its virtual hard disk on a different physical disk from the host OS. For my antivirus tests, I disabled each product's spam- and content-filtering functions but left all other options at their defaults. I chose 4303 unique viruses from various virus-exchange Web sites, selecting samples labeled win32, worm, macro, or .bat (i.e., batch file). Some vendors, such as McAfee and Symantec, try to catch all viruses, regardless of threat level. Others, such as Trend Micro, target their antivirus-definition files toward real-world threats that you'll find in the wild. The first approach resulted in high accuracy but poor performance in my tests; the second approach had the opposite effect. Because many of the viruses I chose aren't currently common in the wild (and because performance differences on production servers will likely be less drastic than they were in my tests), I suggest you treat a product's virus-catching approach as only one aspect of its overall capabilities. I used the Microsoft SMTP server on the host machine to deliver the 4303 virus-infected attachments to one user on the Exchange server, then repeated the test. Table 1 lists the number of viruses that each product caught (best of the two passes).

One way that attackers get malicious content past antivirus systems is by compressing or encoding it. Therefore, I also sent a compressed or encoded copy of the Melissa virus, as well as a .zip file compressed within a .zip file, to determine whether each product supported recursive archives; they all did. (I didn't test encrypted .zip files because encryption prevents the in-transit inspection on which these products depend; for such attachments your policy has to choose between blocking, quarantining, or delivering them unscanned.) Table 2 lists the archive formats that each product was able to scan. To my dismay, none of the products could scan ISO images, so an infected ISO attachment passes through unexamined.
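The recursive-archive behavior described above, written out as an added example (this is not code from the review or from any of the products tested). It opens nested .zip attachments by magic bytes rather than extension, refuses to open encrypted members, recognises an ISO 9660 image so it can be reported as unscannable instead of silently passed, and caps nesting depth and expansion (a zip-bomb guard). The signature database is a constructed hash lookup that stands in for a real engine; the depth, size and ratio limits and the `SAMPLE_PAYLOAD` are assumptions.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                      # nested archive levels we are willing to open (assumption)
MAX_TOTAL_BYTES = 8 * 1024 * 1024  # total expanded bytes allowed per attachment (assumption)
MAX_RATIO = 100                    # expanded:compressed ratio that trips the zip-bomb guard

# Constructed sample that stands in for a signature database. Real products match
# engine signatures, not a hash of the whole file; the hash keeps this runnable offline.
SAMPLE_PAYLOAD = b"CONSTRUCTED-MALWARE-SAMPLE-FOR-ILLUSTRATION-ONLY\n"
SIGNATURES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "Test.Constructed.Sample"}


def container_type(data: bytes) -> str:
    """Identify the container by magic bytes, never by the attachment's extension."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    # ISO 9660: the primary volume descriptor at sector 16 carries the "CD001" identifier
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    return "flat"


def scan(data: bytes, path: str = "<attachment>", depth: int = 0, budget=None):
    """Return a list of (path, verdict, detail); verdicts are clean, infected or unscannable."""
    if budget is None:
        budget = {"bytes": MAX_TOTAL_BYTES}   # shared across all nesting levels
    kind = container_type(data)
    if kind == "flat":
        name = SIGNATURES.get(hashlib.sha256(data).hexdigest())
        return [(path, "infected" if name else "clean", name or "")]
    if kind == "iso9660":
        # None of the reviewed products could open ISO images; report it rather than pass it.
        return [(path, "unscannable", "ISO 9660 image: no parser available")]
    if depth >= MAX_DEPTH:
        return [(path, "unscannable", f"nested deeper than {MAX_DEPTH} levels")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "unscannable", "corrupt zip")]
    results = []
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags marks an encrypted member
                results.append((member, "unscannable", "encrypted member"))
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else 1.0
            if info.file_size > budget["bytes"] or ratio > MAX_RATIO:
                results.append((member, "unscannable", "expansion limit exceeded"))
                continue
            budget["bytes"] -= info.file_size
            results.extend(scan(zf.read(info), member, depth + 1, budget))
    return results


def action_for(findings) -> str:
    """Policy: anything that could not be inspected is treated like a detection."""
    verdicts = {verdict for _, verdict, _ in findings}
    return "block" if verdicts & {"infected", "unscannable"} else "deliver"


# ---- constructed test inputs ----
def nest(data: bytes, levels: int, name: str = "payload.bin") -> bytes:
    """Wrap data in `levels` zip archives, one inside the other."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name if i == 0 else f"level{i}.zip", data)
        data = buf.getvalue()
    return data


def encrypted_looking_zip() -> bytes:
    """zipfile cannot write encrypted entries, so set the encryption flag by hand in the
    local header (flags at offset 6) and the central directory entry (flags at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.doc", b"would be password protected in a real message")
    raw = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(sig) + off] |= 0x1
    return bytes(raw)


FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64   # constructed: just the identifier

if __name__ == "__main__":
    for label, blob in (("nested", nest(SAMPLE_PAYLOAD, 2)),
                        ("too deep", nest(SAMPLE_PAYLOAD, MAX_DEPTH + 1)),
                        ("encrypted", encrypted_looking_zip()),
                        ("iso", FAKE_ISO)):
        findings = scan(blob)
        print(label, action_for(findings), findings)
```

The point of the `unscannable` verdict is that it feeds the same block decision as `infected`: an encrypted member, an over-deep nest or an ISO image is not "clean", it is "not looked at", and a gateway that conflates the two is exactly what the compressed and encoded Melissa samples were probing for.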

Spam and content filtering (i.e., searching incoming or outgoing content for key words or phrases) are increasingly important. The McAfee, Sybari, Symantec, and Trend Micro products all supported content filtering of both messages and attachments, either natively or through add-ons. (CA provides content filtering through a separate product, eTrust Secure Content Manager, which was unavailable for review because of an upcoming release.) A content-filtering product must be able to parse a file's format before it can filter the file's content, so I tested each product with eight common document formats. Table 3 shows the results.

After my accuracy and performance tests, I added a second Exchange server to test each product's management capabilities. Let's take a closer look at the individual products and their test results.

eTrust Antivirus 7.1 Option for Microsoft Exchange
CA offers two virus-scanning engines, Vet and InoculateIT, but eTrust Antivirus can scan with only one engine at a time. eTrust also performs heuristic scanning to detect viruses before new definition files are released, but the documentation offers no explanation of which characteristics the heuristics look for.

eTrust integrates with a CA Unicenter TNG module, but you don't need that product to manage remote servers from any console. Configuration was simple and involved only the small dialog box that Figure 1 shows. Another console let me view logs and monitor quarantined files but lacked detailed reporting or alerting based on detection rates (to help identify outbreaks).

eTrust offered an excellent balance of accuracy and performance in my tests, falling only slightly short of Symantec's and McAfee's products. I can't give the product my complete blessing without having reviewed Secure Content Manager, but if you're looking only for antivirus capabilities at an excellent price, I highly recommend eTrust Antivirus.

CA eTrust Antivirus 7.1 Option for Microsoft Exchange

Contact: Computer Associates International * 631-342-6000
Web: http://www.ca.com
Price: $40 per server; no annual virus definition subscription fee
Summary
Pros: Great balance of accuracy, performance, and price; multiple scan engines; heuristic virus scanning
Cons: Can use only one scan engine at a time; offers minimal reporting functionality
Rating: 3 out of 5
Recommendation: Great antivirus-only solution. (The vendor's content-filtering product was unavailable for testing.)

Active Mail Protection
McAfee's Active Mail Protection suite was designed with enterprise-class management in mind. ePolicy Orchestrator (ePO), which is really more of a management framework than a product, lets you distribute GroupShield and SpamKiller to multiple Exchange servers and centrally manage policies, alerts, and reporting. ePO uses a Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE) back end and can be managed from remote consoles anywhere on your network.

Active Mail Protection came out on top for virus-scanning accuracy in my tests but took the second-longest time to deliver messages. It also led in supported file formats, scanning 13 file types. SpamKiller's content filtering doesn't support regular expressions (a powerful, standardized syntax for matching text) but does support simple wildcards. Active Mail Protection also includes extensive categorized lists of predefined filtered words to target inappropriate content. You can build custom lists and assign words a high, medium, or low severity for granular content control. I consider regular expressions a prerequisite for filtering of any type, but if you can live without them, Active Mail Protection might be the best solution for you. I rated Active Mail Protection a close second in this review; my decision came down to my personal preference for two features Symantec offers: regular expressions–based content filtering and a Microsoft Management Console (MMC)–based multiserver management console.

McAfee Active Mail Protection

Contact: McAfee * 888-847-8766
Web: http://www.mcafee.com
Price: Starts at $54.10 per mailbox per year for 11 to 25 users; annual virus definition subscription fee starts at $21.64 per mailbox per year for 11 to 25 users
Summary
Pros: Excellent antivirus accuracy; best support for content filtering in compressed attachments; great multiserver management
Cons: Could have a significant performance impact on slow servers; doesn't support regular expressions for content filtering
Rating: 4 out of 5
Recommendation: This full-featured product came in a close second. In fact, if your mail server is beefy, price is an issue, and you simply can't compromise on antivirus accuracy, this product might be your best bet.

Antigen for Microsoft Exchange 8.0
Sybari's first claim to fame was that its product replaced the Exchange Extensible Storage Engine (ESE) DLL with Sybari's own version in Exchange Server 5.5, to offer features and performance that Microsoft didn't yet support. If the idea of letting a program replace your Exchange DLLs makes you sweat, you'll be glad to know that Sybari Antigen for Microsoft Exchange can now use either ESE-based or Exchange Virus Scanning API (VSAPI)-based scanning.

Antigen supports eight scanning engines, using CA Vet and InoculateIT, Norman Data Defense, and Sophos Anti-Virus by default (as Figure 3 shows) and also offering support for the Command, Kaspersky, Virus Busters, and AhnLab V3 engines (if you've purchased them). The idea is that if one engine misses a virus, another will catch it, but after testing the product, I don't buy this theory. Antigen came in fourth in my accuracy tests. You might wonder why Antigen's accuracy results were lower than eTrust's even though Antigen uses both CA scan engines. By default, Antigen uses at least two engines to scan each message, but it determines at runtime how many engines must complete a scan of each message. You can use this setting, called the bias, to direct Antigen to use only one engine, multiple engines, or all available engines, depending on your requirements. Sybari recommends setting the bias to Maximum Certainty during a virus outbreak. With bias settings other than Maximum Certainty, Antigen chooses from the available engines, giving priority to engines based on their historical accuracy and the age of their virus definitions.

Antigen has an easy-to-use set of management features. You can perform remote installations, manage multiple servers, and configure automatic updates of all the scanning engines from one client installation or from the web-based Sybari Enterprise Manager (SEM). The product also lets you switch between ESE scanning mode and VSAPI scanning mode after installation.

Poor accuracy, sub-par performance, poor support for scanning file types, and no content filtering inside attachments prevent me from recommending Antigen. Still, you might consider the product for larger Exchange infrastructures that have plenty of spare CPU cycles to run additional engines with a bias toward certainty, or if you want to go with an all-Microsoft solution.

Correction (Added online after publication date):
I had some additional notes about Antigen that didn't make it into the print issue of this article. For users considering the product in larger environments, Sybari's multiple scan engine technique can offer many benefits. For example, you can run Antigen on Exchange Server bridgehead servers and back-end servers. Antigen can use the Maximum Certainty bias setting to get the benefit of all its scan engines on the bridgehead server, where performance is less of a consideration, and the Favor Performance bias setting on back-end servers, where performance directly affects users' experience. Such an environment can give you the best of both worlds. Also remember that although using multiple scan engines takes more processor power, the effect isn't cumulative: two engines don't take twice as long as one.

Antigen had some other benefits not fully described in print. The Sybari suite I tested included Sybari Advanced Spam Manager for spam and content filtering. The suite supports setting the Exchange Spam Confidence Level (SCL) to quarantine spam or forward it to Outlook junk mail folders.

Also note that although the current version of Antigen doesn't perform content filtering within attachments, it fully supports blocking attachments based on file type and scanning attachments for viruses. Sybari will include content filtering inside attachments in the next version of Antigen.

Mail Security for Microsoft Exchange 4.6
Symantec Mail Security for Microsoft Exchange's virus-scanning accuracy came in a close second to Active Mail Protection's, and the product offered much better performance in my tests. Although Mail Security, which Figure 4 shows, missed some attachment types in my content-filtering tests, it was the best overall solution and wins Editor's Choice in this comparative review.

Two noteworthy features of Mail Security are Rapid Release virus definitions and Premium AntiSpam. Rapid Release definitions are released earlier than Symantec's regular virus definitions but are tested less thoroughly and only on Windows. Using Rapid Release is free and can help protect against new threats. Premium AntiSpam (originally a Brightmail product) is a separately purchased, signature-based antispam add-on that blocks messages from known and suspected spammers. Symantec reports that these antispam signatures are created from data gathered by more than 20 million decoy email accounts. If you don't want to buy Premium AntiSpam, Mail Security includes basic heuristic- and blacklist-based antispam functionality. Both versions let you take action according to Exchange Spam Confidence Level (SCL) values; you can specify which SCL value you want the product to set on detected spam. Disappointingly, Mail Security's content filtering failed to catch problem text inside a .pdf, an .rtf, and a zipped Word file. However, it did successfully filter a Unicode text file, something both GroupShield and ScanMail failed to do.
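Two of the content-filtering points above, the wildcard-versus-regular-expression rule syntax discussed under Active Mail Protection and the Unicode text file that only Mail Security caught, come together in the following added example. It is not code from the review or from any vendor. It compiles both rule kinds to one matcher, then shows why a filter that searches raw bytes never sees "confidential" in a UTF-16 attachment (every other byte is NUL) while a filter that decodes the attachment first does. The rules, the sample attachments, the severity-to-action mapping and the BOM-less UTF-16 heuristic are all assumptions.

```python
import codecs
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    kind: str      # "wildcard" (only * and ? are special) or "regex"
    severity: str  # "high", "medium" or "low"


def wildcard_to_regex(pattern: str) -> str:
    """Turn a simple wildcard pattern into a whole-word regex: '*' matches any run of
    word characters, '?' exactly one, and everything else is taken literally."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"\w*")
        elif ch == "?":
            out.append(r"\w")
        else:
            out.append(re.escape(ch))
    return r"\b" + "".join(out) + r"\b"


def compile_rule(rule: Rule) -> "re.Pattern[str]":
    src = wildcard_to_regex(rule.pattern) if rule.kind == "wildcard" else rule.pattern
    return re.compile(src, re.IGNORECASE)


def decode_text_attachment(data: bytes) -> str:
    """Decode a text attachment the way a content filter must: honour the byte-order mark,
    then fall back. The BOM-less UTF-16LE check is a heuristic (assumption)."""
    if data.startswith(codecs.BOM_UTF8):
        return data.decode("utf-8-sig")
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")  # the codec consumes the BOM and picks the byte order
    if len(data) >= 4 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")  # ASCII text stored as UTF-16LE: every odd byte is NUL
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("cp1252", errors="replace")


def byte_level_hits(data: bytes, rules) -> list:
    """What a filter that searches the raw bytes sees: 'c\\x00o\\x00n\\x00...' never
    matches 'confiden*', which is how Unicode text slips past such filters."""
    as_chars = data.decode("latin-1")  # one character per byte, never fails
    return [r.name for r in rules if compile_rule(r).search(as_chars)]


def text_level_hits(data: bytes, rules) -> list:
    """Decode first, then match: the same rules now see the real characters."""
    text = decode_text_attachment(data)
    return [r.name for r in rules if compile_rule(r).search(text)]


SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3}


def action_for(hit_names, rules) -> str:
    """Map the worst severity among the hits to an action; no hits means deliver."""
    worst = max((SEVERITY_ORDER[r.severity] for r in rules if r.name in hit_names), default=0)
    return {0: "deliver", 1: "tag", 2: "quarantine", 3: "block"}[worst]


# Constructed rules and attachments (not taken from the review).
RULES = (
    Rule("internal-marking", "confiden*", "wildcard", "high"),
    Rule("project-code", r"\bPROJ-\d{4}\b", "regex", "medium"),
)
ASCII_SAMPLE = b"Attached is the CONFIDENTIAL budget for PROJ-0042.\r\n"
UTF16_SAMPLE = codecs.BOM_UTF16_LE + ASCII_SAMPLE.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("ascii", ASCII_SAMPLE), ("utf-16", UTF16_SAMPLE)):
        print(label, "raw bytes:", byte_level_hits(blob, RULES),
              "decoded:", text_level_hits(blob, RULES))
```

Note that the wildcard rule is compiled to a regular expression internally: a product that offers only wildcards is exposing a restricted subset of the same machinery, so the difference is in what an administrator can express (a structured pattern such as the project code), not in how matching works.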

In addition to remote deployment, Mail Security includes the multiserver console, an MMC snap-in that lets you manage remote instances by user-defined groups. The console let me synchronize settings with the server that I added for management testing. My only complaint was that the multiserver console requires a separate machine on which to store configuration data, so all your messaging administrators must have access to that system.

Mail Security offered great accuracy and acceptable performance. I loved the regular expressions–based content filtering, detailed options for integrating with SCLs in Exchange, and the well-organized, responsive UI.

ScanMail for Microsoft Exchange 7.0
ScanMail offers a spam-filtering technology (similar to Symantec's Premium AntiSpam) but doesn't let you control how it sets SCLs in Exchange. The product's content filtering supports regular expressions and scanned inside most of the attachment types that I tested.

Though not as extensive as those of Mail Security or Active Mail Protection, ScanMail's management features are probably sufficient for most organizations. The ScanMail installer let me deploy the product to multiple Exchange servers at once. Each server runs its own Web-based management console, but you can automatically replicate settings to other servers to manage a larger Exchange infrastructure. And ScanMail's outbreak-management feature can generate alerts according to the number of viruses or attachments blocked in a given period.

Trend Micro's virus-definition strategy might make its results look less than optimal, but the viruses it misses might not be ones you'd see in the wild. The product's performance and feature set were both amazing, so I strongly recommend ScanMail if speedy email delivery is of paramount importance.

Trend Micro ScanMail for Microsoft Exchange 7.0

Contact: Trend Micro * 877-268-4847
Web: http://www.trendmicro.com
Price: Starts at $41.40 per mailbox per year for 5 to 25 users; annual virus definition subscription fee costs 30 percent of purchase price
Summary
Pros: Minimal impact on mail-server performance; supports regular expressions for content filtering
Cons: Virus database isn't as extensive as the other reviewed products'; content filtering missed Unicode text file
Rating: 3.5 out of 5
Recommendation: If speedy email delivery is of paramount importance, consider this product, but be aware that its targeted approach is likely to let viruses through sooner or later.

Get What You Need
I've tried to give you an idea of how some of our readers' favorite mail-server antivirus products stack up, but take a look at the features listed in Table 4 to get more information about which product offers the features that matter most in your environment. Also, you can find out about many other available Exchange antivirus products by visiting our IT Solution Center (see Interact! for details).